A possibility to circumvent protection against cross-site request
forgery (CSRF) attacks was found in Ruby on Rails. Quoting the upstream
security advisory for exact details:
There is a bug in all 2.1.x versions of Ruby on Rails which affects
the effectiveness of the CSRF protection given by protect_from_forgery.
By design, Rails does not perform token verification on requests with certain content types not typically generated by browsers. Unfortunately this list also included ‘text/plain’ which can be generated by browsers.
Requests can be crafted which will circumvent the CSRF protection entirely. Rails does not parse the parameters provided with these requests, but that may not be enough to protect your application.
This issue affects the versions of the rubygem-actionpack package,
as shipped with Fedora releases 10, 11 and 12.
This issue affects the version of the rubygem-actionpack package,
as shipped with the Extra Packages for Enterprise Linux 5 (EPEL-5) project.
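The decision the advisory describes, as an added example that is not part of the original report and is not Rails' own code: a simplified model of a token check that is skipped for exempt content types, plus an audit helper that flags exempt types an HTML form can submit. The method names and both exemption lists are constructed for illustration.

```ruby
require 'set'

# Content types an HTML form can submit without script
# (the three valid values of the form "enctype" attribute).
BROWSER_FORM_TYPES = Set[
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain'
].freeze

# Constructed exemption lists (not Rails' actual list): content types
# for which the token check is skipped.
EXEMPT_BEFORE = Set['text/plain', 'application/xml', 'application/json'].freeze
EXEMPT_AFTER  = (EXEMPT_BEFORE - ['text/plain']).freeze

# Strip parameters such as "; charset=UTF-8" and normalise case.
def media_type(content_type)
  content_type.to_s.split(';').first.to_s.strip.downcase
end

# Simplified model of the verification decision: GET is not verified,
# exempt content types skip the check, everything else needs a valid token.
def request_accepted?(method:, content_type:, token_ok:, exempt:)
  return true if method == :get
  return true if exempt.include?(media_type(content_type))
  token_ok
end

# Audit helper: exempt entries that a browser form can produce.
# Any hit means the token check can be skipped for a browser-sent request.
def risky_exemptions(exempt)
  (exempt & BROWSER_FORM_TYPES).to_a.sort
end

if __FILE__ == $PROGRAM_NAME
  { 'before' => EXEMPT_BEFORE, 'after' => EXEMPT_AFTER }.each do |label, list|
    accepted = request_accepted?(method: :post,
                                 content_type: 'text/plain; charset=UTF-8',
                                 token_ok: false, exempt: list)
    puts "#{label}: risky=#{risky_exemptions(list).inspect} " \
         "tokenless text/plain POST accepted=#{accepted}"
  end
end
```
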
For F-13/12/11 (i.e. for rubygem-actionpack 2.3.x) this is NOTABUG
because the usage of unverifiable_types is deprecated (and not used).
Only affects F-10 and EL-5, if any.
rubygem-actionpack-2.1.1-5.fc10 has been submitted as an update for Fedora 10.
rubygem-actionpack-2.1.1-5.el5 has been submitted as an update for Fedora EPEL 5.
rubygem-actionpack-2.1.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.1.1-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
This is CVE-2008-7248.
I think this can be closed.